The invention is based on a priority application EP08290549.8 which is hereby incorporated by reference.
The invention relates to a method for protecting a packet-based network from attacks, the method comprising: performing an anomaly detection, in particular a statistical analysis, on session control messages, in particular on session initiation protocol, SIP, messages contained in a packet stream received in a security border node of the network, and to a computer program product adapted to perform the method. The invention further relates to a security border node for protecting a packet-based network from attacks, comprising: an anomaly detection unit for performing an anomaly detection, in particular a statistical analysis, on session control messages, in particular on SIP messages contained in a packet stream received in the security border node, and to a packet-based network comprising at least one such security border node.
The invention relates to the protection of packet-based networks such as communication/computer networks, in particular core networks, against any kinds of attacks. A core network may be implemented using the ETSI/TISPAN (Telecoms & Internet converged Services & Protocols for Advanced Networks), resp. next generation network (NGN) architecture with an 3GPP/IMS (IP multimedia subsystem) using session/application layer control (signalling) protocols such as the Session Initiation Protocol (SIP) for creating, modifying, and terminating sessions with one or more participants. In such a core network, attacks can occur on different layers (IP, transport, up to the application layer) and the attack strategy can vary. In particular, the application/session protocol stacks in the border nodes of a core network are highly jeopardized and therefore need a protection mechanism to achieve the requested high availability of the whole system, especially for well behaving users/devices. It is understood that the invention is not limited to NGN/IMS/TISPAN networks with SIP signalling, but pertains to all types of IP networks using other types of signalling protocols, e.g. SOAP (Simple Object Access Protocol), H.323, etc.
A core network 1 of the type described above is shown in FIG. 1. The core network 1 has multiple (security) border nodes 2a to 2f for connecting the core network 1 to access networks 3 which are themselves connected to end user equipment 4. Some of the border nodes 2a to 2f may also be used to connect the core network 1 to other core networks (not shown). Within the border nodes 2a to 2f, a security policy needs to be applied that immediately identifies valid from potentially dangerous traffic and identified fraud traffic needs to be blocked. For this purpose, firewalls operating on layer 3/layer 4 (of the OSI model) and signature analysis functions are applied to protect the network. These solutions require that the attack strategy is known in advance. However, upcoming attacks applying new strategies can pass these protection methods. Therefore, “zero day” (i.e. first appearance) attacks cannot be identified and may lead to serious disturbances.
Therefore, on the SIP application/session control layer, there are also different types of protection technologies dealing with different types of attacks: SIP message syntax attacks can be revealed and dealt with techniques such as ABNF (Augmented Backus-Naur Form) checkers. SIP message attacks, on the contrary, show a correct syntax and there is no signature known to identify them as malicious. For identifying these kinds of attacks, anomaly detection strategies are investigating binary and variable length (n-gram) sequences of a byte stream to detect new kinds of attack scenarios. (cf. e.g. “Language Models for Detection of Unknown Attacks in Network Traffic”, by K. Rieck, P. Laskov; Fraunhofer FIRST; http://www.springerlink.com). These mechanisms can detect “zero-day” attacks in a byte stream. However, these mechanisms do not have a (sequence) memory to detect attacks which get only visible by associating the n-th with the (n+m)-th sequence. Therefore, all those SIP message attacks which are constructed of a specific correlation (e.g. sequence number, time dependence, source/destination dependence and any combination of these) cannot be identified by and of today's techniques.